
I am creating a site that is basically a web-based RSS feed reader. Users can add feeds to their "homepage" from my feed database or enter their own URL. Is it dangerous to allow people to parse any feed? If so, is there any way to protect against the dangers? Thanks for the help. I'm using MagpieRSS for feed parsing.

2006-08-03 08:29:46 · 2 answers · asked by Brady 3 in Computers & Internet Programming & Design

2 answers

Magpie isn't designed to be used with untrusted URLs. A round of hardening is part of the design for the next version, but isn't out there yet.

That said, the dangers associated with allowing people to display the results on their page are fairly obscure or trivial. There is a class of attacks like infinite gzip attacks which exist in theory, though I've never seen them applied to Magpie.

If you were allowing them to display feeds on *your* pages, you need to be conscious of a number of possible attacks, the most serious of which are probably XSS attacks.

However, the most common problem services like this have (e.g. feed2js) is not security but how to deal with their overwhelming popularity. Good luck.

2006-08-03 11:38:39 · answer #1 · answered by Kellan 1 · 5 1

I recommend cleaning code from any RSS feed that you parse (you don't want any cross-site scripting or anything). Other than that, as long as the feed doesn't wind up living on your system and you just parse it and send it right to the user, you should be ok.

2006-08-03 16:38:05 · answer #2 · answered by John J 6 · 0 0
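Both answers point to cross-site scripting as the main risk when feed content is shown on your own pages. The following is an added example, not part of either answer and not MagpieRSS code: it treats every feed field as untrusted text and allows only http(s) links. The function names and the item array shape ('title', 'link', 'description') are assumptions, and the sample items are constructed.

```php
<?php
// Added example, not MagpieRSS code. Assumes PHP 7.1+ and that each parsed
// item is an array with 'title', 'link' and 'description' keys.

// Escape untrusted text for an HTML body or quoted-attribute context.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Reduce a feed field to plain text: drop tags, decode entities, then escape.
// Escaping is the last step, so a decoded "&lt;script&gt;" stays inert.
function plain(string $s): string {
    return esc(html_entity_decode(strip_tags($s), ENT_QUOTES, 'UTF-8'));
}

// Accept only absolute http(s) links; javascript:, data: etc. return null.
function safe_link(string $url): ?string {
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Build the HTML for one item; a rejected link leaves the title unlinked.
function render_item(array $item): string {
    $title = plain($item['title'] ?? '');
    $body  = plain($item['description'] ?? '');
    $link  = safe_link($item['link'] ?? '');
    $head  = $link === null
        ? $title
        : '<a href="' . esc($link) . '" rel="noopener noreferrer">' . $title . '</a>';
    return "<li>$head<p>$body</p></li>\n";
}

// Constructed sample items standing in for a parsed feed.
$items = [
    ['title' => 'Release notes', 'link' => 'https://example.org/notes',
     'description' => '<p>Version 2 is <b>out</b> &amp; stable.</p>'],
    ['title' => '<img src=x onerror=alert(1)>Hi', 'link' => 'javascript:alert(1)',
     'description' => '<script>alert(document.cookie)</script>&lt;script&gt;x&lt;/script&gt;'],
];

foreach ($items as $item) {
    echo render_item($item);
}
```

If item descriptions must keep some formatting, replace `plain()` for that field with an allowlist-based HTML sanitizer rather than loosening the escaping.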
